WAFFle: Fingerprinting Filter Rules of Web Application Firewalls
|
|
|
- Alexina Ford
- 10 years ago
- Views:
Transcription
1 WAFFle: Fingerprinting Filter Rules of Web Application Firewalls Isabell Schmitt, Sebastian Schinzel* Friedrich-Alexander Universität Erlangen-Nürnberg Lehrstuhl für Informatik 1 IT-Sicherheitsinfrastrukturen
2 Talk presented at 6th USENIX Workshop on Offensive Technologies (WOOT 2012) Full paper: Full video of talk: 2
3 Introduction: Web Application Firewalls Web Application Firewalls intercept web requests filter requests to prevent attacks Internet Demilitarized Zone Intranet Web Server uses filter rules for detecting common attack patterns Passed Request Blocked Request blind for new attack patterns 3
4 Introduction: Web Application Firewalls Web Application Firewalls intercept web requests filter requests to prevent attacks Internet Demilitarized Zone Intranet Web Server uses filter rules for detecting common attack patterns Passed Request Blocked Request blind for new attack patterns If attacker knows active filter rule set, he can search for loopholes in the rule set What can the attacker learn about the active filter rule set of a WAF? 3
5 WAFfle: Fingerprinting Filter Rules of Web Application Firewalls Idea behind WAFfle 1. Generate polymorphic representations of exploit code (e.g. <script>alert(23);</script>, <script_>alert(23);</script>, <script >alert(23);</script> <script >alert(23);</script>) 2. Send to web app and measure response time 3. Analyse response time Internet Passed Request Blocked Request Demilitarized Zone Intranet Web Server 4
6 WAFfle: Fingerprinting Filter Rules of Web Application Firewalls Idea behind WAFfle Demilitarized Zone Intranet Web Server 1. Generate polymorphic representations of exploit code (e.g. <script>alert(23);</script>, <script_>alert(23);</script>, <script >alert(23);</script> <script >alert(23);</script>) 2. Send to web app and measure response time Internet 4 Passed Request Blocked Request 3. Analyse response time
7 Introduction: Web Application Firewalls Demilitarized Zone Intranet Web Server Internet Passed Request Blocked Request 5
8 Introduction: Web Application Firewalls Internet Demilitarized Zone Intranet Web Server 6
9 Introduction: Web Application Firewalls Internet Demilitarized Zone Intranet Web Server 7
10 WAFfle: Results Internet Demilitarized Zone Intranet Web Server mod_security filtering as web application plugin 8
11 WAFfle: Results Internet Demilitarized Zone Intranet Web Server mod_security filtering as web application plugin 8
12 WAFfle: Results Results All three scenarios allow to distinguish blocked from passed requests by observing response times With no repetitions, >95% of single requests already correctly determine blocked and passed requests 1(a) 1(b) 1(c) 9
13 WAFfle: Results Results All three scenarios allow to distinguish blocked from passed requests by observing response times With no repetitions, >95% of single requests already correctly determine blocked and passed requests 1(a) 1(b) 1(c) 9
14 WAFfle: Cross Site Timing Attack One more thing... We re on the web, and the web allows cross site requests Extend WAFfle for Cross Site Request Forgery (Cross Site Timing Attack) 10
15 WAFfle: Cross Site Timing Attack One more thing... We re on the web, and the web allows cross site requests Extend WAFfle for Cross Site Request Forgery (Cross Site Timing Attack) Web User 2) Victim Web Application Web Browser 3) WAF 4) Sends Measurements Attacker 1) Visits 10 Web Site
16 WAFfle: Cross Site Timing Attack One more thing... We re on the web, and the web allows cross site requests Extend WAFfle for Cross Site Request Forgery (Cross Site Timing Attack) Generate Javascript code that attacker embeds on web page Web User 2) Victim Web Application Attacker tricks other users to visit web page other users perform measurement and send measurements to attacker 3) Web Browser 4) Sends Measurements Attacker WAF 1) Visits 10 Web Site
17 WAFfle: Cross Site Timing Attack Cross Site Timing Attack 11
18 Thanks! Discussion. 12
WAFFle: Fingerprinting Filter Rules of Web Application Firewalls
Email: [email protected] Twitter: @seecurity WAFFle: Fingerprinting Filter Rules of Web Application Firewalls Isabell Schmitt, Sebastian Schinzel* Friedrich-Alexander Universität Erlangen-Nürnberg
Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall
Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection
Web Application Attacks And WAF Evasion
Web Application Attacks And WAF Evasion Ahmed ALaa (EG-CERT) 19 March 2013 What Are We Going To Talk About? - introduction to web attacks - OWASP organization - OWASP frameworks - Crawling & info. gathering
Where every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
Data Breaches and Web Servers: The Giant Sucking Sound
Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant
Pwning Intranets with HTML5
Javier Marcos de Prado Juan Galiana Lara Pwning Intranets with HTML5 2009 IBM Corporation Agenda How our attack works? How we discover what is in your network? What does your infrastructure tell us for
Integrating Web Application Security into the IT Curriculum
Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University Topics 1. 2. 3. 4. Why should we teach web application security? What material do we need to cover?
Detecting and Exploiting XSS with Xenotix XSS Exploit Framework
Detecting and Exploiting XSS with Xenotix XSS Exploit Framework [email protected] keralacyberforce.in Introduction Cross Site Scripting or XSS vulnerabilities have been reported and exploited since 1990s.
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most
Web-Application Security
Web-Application Security Kristian Beilke Arbeitsgruppe Sichere Identität Fachbereich Mathematik und Informatik Freie Universität Berlin 29. Juni 2011 Overview Web Applications SQL Injection XSS Bad Practice
Network Security Exercise #8
Computer and Communication Systems Lehrstuhl für Technische Informatik Network Security Exercise #8 Falko Dressler and Christoph Sommer Computer and Communication Systems Institute of Computer Science,
Malicious Websites uncover vulnerabilities (browser, plugins, webapp, server), initiate attack steal sensitive information, install malware, compromise victim s machine Malicious Websites uncover vulnerabilities
Security Research Advisory IBM inotes 9 Active Content Filtering Bypass
Security Research Advisory IBM inotes 9 Active Content Filtering Bypass Table of Contents SUMMARY 3 VULNERABILITY DETAILS 3 TECHNICAL DETAILS 4 LEGAL NOTICES 7 Active Content Filtering Bypass Advisory
Network Security Web Security
Network Security Web Security Anna Sperotto, Ramin Sadre Design and Analysis of Communication Systems Group University of Twente, 2012 Cross Site Scripting Cross Side Scripting (XSS) XSS is a case of (HTML)
Security Testing with Selenium
with Selenium Vidar Kongsli Montréal, October 25th, 2007 Versjon 1.0 Page 1 whois 127.0.0.1? Vidar Kongsli System architect & developer Head of security group Bekk Consulting Technology and Management
BlackBerry Enterprise Server for Microsoft Office 365 preinstallation checklist
BlackBerry Enterprise Server for Microsoft Office 365 preinstallation checklist This document lists the preinstallation requirements that must be met before you install the BlackBerry Enterprise Server
JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City
JOOMLA SECURITY by Oliver Hummel ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City CONTACT Nicholas Butler 051-393524 089-4278112 [email protected] Contents Introduction 3 Installation
ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
IJMIE Volume 2, Issue 9 ISSN: 2249-0558
Survey on Web Application Vulnerabilities Prevention Tools Student, Nilesh Khochare* Student,Satish Chalurkar* Professor, Dr.B.B.Meshram* Abstract There are many commercial software security assurance
Guidelines for Web applications protection with dedicated Web Application Firewall
Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security
White Paper Secure Reverse Proxy Server and Web Application Firewall
White Paper Secure Reverse Proxy Server and Web Application Firewall 2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security
Testnet Summerschool. Web Application Security Testing. Dave van Stein
Testnet Summerschool Web Application Security Testing Dave van Stein Welcome Your coach for today Dave van Stein Security Consultant Web Application Penetration Tester Purpose of today s workshop Creating
ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION
ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: Learn the various attacks like sql injections, cross site scripting, command execution
Cross Site Scripting Prevention
Project Report CS 649 : Network Security Cross Site Scripting Prevention Under Guidance of Prof. Bernard Menezes Submitted By Neelamadhav (09305045) Raju Chinthala (09305056) Kiran Akipogu (09305074) Vijaya
Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant
Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant Nethemba All About Security Highly experienced certified IT security experts (CISSP, C EH, SCSecA) Core
Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper
Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks Whitepaper The security industry has extensively focused on protecting against malicious injection attacks like
HTML5 and security on the new web
HTML5 and security on the new web By James Lyne, Director of Technology Strategy There are lots of changes happening to the key technologies that power the web. The new version of HTML, the dominant web
Note: This App is under development and available for testing on request. Note: This App is under development and available for testing on request. Note: This App is under development and available for
Securing Internet Facing. Applications. Technical White Paper. configuration drift, in which IT members open up ports or make small, supposedly
Securing Internet Facing Applications Ten years ago protecting the corporate network meant deploying traditional firewalls and intrusion detection solutions at the perimeter of the trusted network in order
Web Application Security
Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching
ensuring security the way how we do it
ensuring security the way how we do it HUSTEF, 2015.11.18 Attila Tóth 1 Nokia Solutions and Networks 2014 Disclaimer The ideas, processes, tools are presented from a practitioner s point of view working
The Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions [email protected] Agenda Current State of Web Application Security Understanding
Gateway Apps - Security Summary SECURITY SUMMARY
Gateway Apps - Security Summary SECURITY SUMMARY 27/02/2015 Document Status Title Harmony Security summary Author(s) Yabing Li Version V1.0 Status draft Change Record Date Author Version Change reference
Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins
Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins During initial stages of penetration testing it is essential to build a strong information foundation before you
Web Intrusion Detection with ModSecurity. Ivan Ristic <[email protected]>
Web Intrusion Detection with ModSecurity Ivan Ristic Aim of This Talk Discuss the state of Web Intrusion Detection Introduce ModSecurity Introduce an open source web application
Intrusion detection for web applications
Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities
Recommended Practice Case Study: Cross-Site Scripting. February 2007
Recommended Practice Case Study: Cross-Site Scripting February 2007 iii ACKNOWLEDGEMENT This document was developed for the U.S. Department of Homeland Security to provide guidance for control system cyber
AppDefend Application Firewall Overview
AppDefend Application Firewall Overview May 2014 Stephen Kost Chief Technology Officer Integrigy Corporation Agenda Web Application Security AppDefend Overview Q&A 1 2 3 4 5 Oracle EBS Web Architecture
Web Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel [email protected]
Table of Contents. Page 2/13
Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities
How Web Application Security Can Prevent Malicious Attacks
Securing Enterprise Web Applications for Critical Data Protection and PCI-DSS Compliance Selecting the Right Technology is Essential in Guarding Against Malicious Attacks White_Paper As today s organizations
Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity2
Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity2 Schoolwires Centricity2 LDAP Table of Contents Introduction... 1 About LDAP... 2 Primary Benefit of LDAP Authentication... 2 LDAP Servers
Preparing for the Cross Site Request Forgery Defense
Preparing for the Cross Site Request Forgery Defense Chuck Willis [email protected] Black Hat DC 2008 February 20, 2008 About Me Principal Consultant with MANDIANT in Alexandria, VA Full spectrum
Bypassing NoScript Security Suite Using Cross-Site Scripting and MITM Attacks
Bypassing NoScript Security Suite March 2016 Mazin Ahmed [email protected] @mazen160 Table of Contents Abstract... 3 Introduction... 3 Research... 4 Solution... 7 Recommendations... 7 Notes... 7 Disclosure
EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS
EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS SEPTEMBER 2015 MAZIN AHMED [email protected] @MAZEN160 Table of Contents Topic Page Number Abstract 3 Introduction 3 Testing Environment 4 Products
SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO-6013-09 TABLE OF CONTENTS
OFFICE OF THE CHIEF INFORMATION OFFICER OCIO-6013-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS
Security features of ZK Framework
1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures
A Tale of the Weaknesses of Current Client-Side XSS Filtering
Call To Arms: A Tale of the Weaknesses of Current Client-Side XSS Filtering Martin Johns, Ben Stock, Sebastian Lekies About us Martin Johns, Ben Stock, Sebastian Lekies Security Researchers at SAP, Uni
Web Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
Chapter 8 Security Pt 2
Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,
Web Application Security
E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary
Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
Offensive Security. Advanced Web Attacks and Exploitation. Mati Aharoni Devon Kearns. v. 1.0
Offensive Security Advanced Web Attacks and Exploitation v. 1.0 Mati Aharoni Devon Kearns Course Overview The days of porous network perimeters are fading fast as services become more resilient and harder
WEB ATTACKS AND COUNTERMEASURES
WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
BYOD Guidance: Architectural Approaches
GOV.UK Guidance BYOD Guidance: Architectural Approaches Published Contents 1. Service separation 2. Scenario 1: Exposing internal web applications 3. Scenario 2: Exposing email, calendar and contacts This
OCR LEVEL 3 CAMBRIDGE TECHNICAL
Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT WEB SERVER SCRIPTING A/601/0443 LEVEL 3 UNIT 26 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 WEB SERVER SCRIPTING A/601/0443
Step into the Future: HTML5 and its Impact on SSL VPNs
Step into the Future: HTML5 and its Impact on SSL VPNs Aidan Gogarty HOB, Inc. Session ID: SPO - 302 Session Classification: General Interest What this is all about. All about HTML5 3 useful components
Advanced Web Technology 10) XSS, CSRF and SQL Injection 2
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation
From the Bottom to the Top: The Evolution of Application Monitoring
From the Bottom to the Top: The Evolution of Application Monitoring Narayan Makaram, CISSP Director, Security Solutions HP/Enterprise Security Business Unit Session ID: SP01-202 Session 2012 Classification:
ModSecurity as Universal Cross-platform Web Protection Tool
ModSecurity as Universal Cross-platform Web Protection Tool Ryan Barnett Greg Wroblewski Abstract For many years ModSecurity was a number one free open source web application firewall for the Apache web
Implementation of Web Application Firewall
Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,
Web Application Hacking (Penetration Testing) 5-day Hands-On Course
Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis
SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER
SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS Ben Stock, Martin Johns, Sebastian Lekies Browser choices Full disclosure: Ben was an intern with Microsoft
National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research
National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?
Hacking Intranet Websites from the Outside (Take 2) Fun With & Without JavaScript Malware
Hacking Intranet Websites from the Outside (Take 2) Fun With & Without JavaScript Malware July 2007 Jeremiah Grossman Founder and CTO, WhiteHat Security A WhiteHat Security Whitepaper 3003 Bunker Hill
Firewall Environments. Name
Complliiance Componentt DEEFFI INITION Description Rationale Firewall Environments Firewall Environment is a term used to describe the set of systems and components that are involved in providing or supporting
2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.
2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program. Entry Name HFA Submission Contact Phone Email Qualified Entries must be received by
1 Web Application Firewalls implementations, common problems and vulnerabilities
Bypassing Web Application Firewalls Pavol Lupták [email protected] CEO, Nethemba s.r.o Abstract The goal of the presentation is to describe typical obfuscation attacks that allow an attacker to
Chapter 8 Network Security
[Computer networking, 5 th ed., Kurose] Chapter 8 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 84Securing 8.4 e-mail 8.5 Securing TCP connections: SSL 8.6 Network
Wordpress Security. A guide on how to not get hacked when using wordpress. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K
Wordpress Security A guide on how to not get hacked when using wordpress. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K So about wordpress. The number one website and blogging software
Bust a cap in a web app with OWASP ZAP
The OWASP Foundation http://www.owasp.org Bust a cap in a web app with OWASP ZAP Adrien de Beaupré GSEC, GCIH, GPEN, GWAPT, GCIA, GXPN ZAP Evangelist Intru-Shun.ca Inc. SANS Instructor, Penetration Tester,
Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter [email protected]
CS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
Table of Contents. Application Vulnerability Trends Report 2013. Introduction. 99% of Tested Applications Have Vulnerabilities
Application Vulnerability Trends Report : 2013 Table of Contents 3 4 5 6 7 8 8 9 10 10 Introduction 99% of Tested Applications Have Vulnerabilities Cross Site Scripting Tops a Long List of Vulnerabilities
Some Notes on Web Application Firewalls
Some Notes on Web Application Firewalls or Why You still Get Owned #whoami Member of Application Security Team, ERNW GmbH Contact: ERNW GmbH Frank Block Breslauer Str. 28 69124 Heidelberg Email: [email protected]
Security Certification of Third- Parties Applications
Security Certification of Third- Parties Applications Stanislav Dashevskyi [email protected] Advisors: Fabio Massacci, Antonino Sabetta Agenda Introduction Third-party code in web applications Third-party
SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting
SECURITY ADVISORY December 2008 Barracuda Load Balancer admin login Cross-site Scripting Discovered in December 2008 by FortConsult s Security Research Team/Jan Skovgren WARNING NOT FOR DISCLOSURE BEFORE
LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages
LASTLINE WHITEPAPER Large-Scale Detection of Malicious Web Pages Abstract Malicious web pages that host drive-by-download exploits have become a popular means for compromising hosts on the Internet and,
We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013
We protect you applications! No, you don t Digicomp Hacking Day 2013 May 16 th 2013 Sven Vetsch Partner & CTO at Redguard AG www.redguard.ch Specialized in Application Security (Web, Web-Services, Mobile,
Hack Proof Your Webapps
Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University
Web Engineering Web Application Security Issues
Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend
MetaXSSploit. Bringing XSS in Pentesting A journey in building a security tool. Claudio Criscione @paradoxengine
` MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine /me No Aff XSS And how a security tool is born! Relevant? Web Application Security Statistics
Web Application Firewall (WAF) Guide. Web Application Firewall を 理 解 するための 手 引 き A Handbook to Understand Web Application Firewall
Web Application Firewall (WAF) Guide 2 nd Edition Web Application Firewall を 理 解 するための 手 引 き A Handbook to Understand Web Application Firewall IT SECURITY CENTER, INFORMATION-TECHNOLOGY PROMOTION AGENCY,
Useful Tips for Reducing the Risk of Unauthorized Access for Network Cameras Important
Useful Tips for Reducing the Risk of Unauthorized Access for Network Cameras Important System administrators are advised to read. Overview and Use of this Guide Objectives This guide provides additional
Sitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
SAP: Session (Fixation) Attacks and Protections
www.taddong.com SAP: Session (Fixation) Attacks and Protections (in Web Applications) Raul Siles [email protected] April 15, 2011 VII OWASP Spain Chapter Meeting Copyright 2011 Taddong S.L. Todos los derechos
Learn Ethical Hacking, Become a Pentester
Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,
Developing ASP.NET MVC 4 Web Applications MOC 20486
Developing ASP.NET MVC 4 Web Applications MOC 20486 Course Outline Module 1: Exploring ASP.NET MVC 4 The goal of this module is to outline to the students the components of the Microsoft Web Technologies
VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso
VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES AUTHOR: Chema Alonso Informática 64. Microsoft MVP Enterprise Security Hello and welcome to Intypedia.
QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015
QualysGuard WAS Getting Started Guide Version 4.1 April 24, 2015 Copyright 2011-2015 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc.
Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek ([email protected])
Bug Report Date: March 19, 2011 Reporter: Chris Jarabek ([email protected]) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.
Neural Network Approach to Web Application Protection
Neural Network Approach to Web Application Protection Jane Jaleel Stephan, Sahab Dheyaa Mohammed, and Mohammed Khudhair Abbas Abstract The rapid growth of internet has created many services, which have
MWR InfoSecurity Security Advisory. BT Home Hub SSID Script Injection Vulnerability. 10 th May 2010. Contents
Contents MWR InfoSecurity Security Advisory BT Home Hub SSID Script Injection Vulnerability 10 th May 2010 2010-05-10 Page 1 of 8 Contents Contents 1 Detailed Vulnerability Description... 5 1.1 Technical